The WordPress security team resolved three security issues, and this release also contains some additional security hardening.

The security fixes include:

Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.

Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user.

Fix insufficient input validation that could result in redirecting or leading a user to another website.

The additional security hardening includes:

Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
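
A plugin or theme can put these types back through the `upload_mimes` filter, so the new defaults can be silently undone. The must-use plugin below is an added example, not WordPress core code: it re-applies the same policy after every other filter has run. The function name and file path are assumptions.

```php
<?php
/**
 * Added example, not WordPress core code.
 * Assumed location: wp-content/mu-plugins/enforce-upload-types.php
 *
 * Re-applies the upload policy described in the release notes after all
 * other upload_mimes callbacks, so a later plugin cannot re-enable the types.
 */

// Hypothetical function name; "example_" is an assumed prefix.
function example_enforce_upload_types( $mimes, $user = null ) {
	$always_blocked = array( 'swf', 'exe' );
	$html_exts      = array( 'htm', 'html' );

	// .htm/.html stay allowed only for users who may post unfiltered HTML.
	$unfiltered = false;
	if ( function_exists( 'current_user_can' ) ) {
		$unfiltered = $user
			? user_can( $user, 'unfiltered_html' )
			: current_user_can( 'unfiltered_html' );
	}

	$clean = array();
	foreach ( $mimes as $ext_pattern => $mime_type ) {
		// Keys are extension patterns such as "jpg|jpeg|jpe", so one entry
		// can carry several extensions. Check each extension separately.
		$exts = explode( '|', strtolower( $ext_pattern ) );
		$exts = array_diff( $exts, $always_blocked );
		if ( ! $unfiltered ) {
			$exts = array_diff( $exts, $html_exts );
		}
		// Keep the entry only if it still names at least one extension.
		if ( $exts ) {
			$clean[ implode( '|', $exts ) ] = $mime_type;
		}
	}
	return $clean;
}

// Latest possible priority; accept the optional second argument ($user).
add_filter( 'upload_mimes', 'example_enforce_upload_types', PHP_INT_MAX, 2 );
```

Splitting each key on `|` matters because a type re-added under a combined key such as `htm|html|xhtml` would slip past a plain `unset( $mimes['htm|html'] )`.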